
Commit 99a3d5d8 authored by Jeff Sharkey's avatar Jeff Sharkey Committed by mse1969

DO NOT MERGE. KEY_INTENT shouldn't grant permissions.

KEY_INTENT has no business granting any Uri permissions, so remove
any grant flags that malicious apps may have tried sneaking in.

Also fix ordering bug in general-purpose security check that was
allowing FLAG_GRANT_PERSISTABLE to bypass it.

Test: builds, boots
Bug: 32990341, 32879915
Change-Id: I657455a770c81f045ccce6abbd2291407a1cfb42
(cherry picked from commit d722e780)
parent 754c510f
+3 −0
@@ -2199,6 +2199,9 @@ public class AccountManagerService
            Intent intent = null;
            if (result != null
                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
                intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
                        | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                        | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION));
                /*
                 * The Authenticator API allows third party authenticators to
                 * supply arbitrary intents to other apps that they can run,
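Review bot: The mask in the new `intent.setFlags(...)` call clears the read, write and persistable grant flags but leaves `Intent.FLAG_GRANT_PREFIX_URI_PERMISSION` set on an authenticator-supplied intent. That flag only modifies a read or write grant, so on its own it should be inert here, but stripping it as well keeps the sanitisation complete if a mode flag is ever reintroduced downstream: append `| Intent.FLAG_GRANT_PREFIX_URI_PERMISSION` to the mask. A one-line comment above the call, e.g. `// KEY_INTENT must never carry Uri permission grants chosen by the authenticator`, would also record why the flags are dropped. The enclosing method starts and ends outside this hunk, so whether other code paths that hand back KEY_INTENT get the same treatment cannot be confirmed from here.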
+13 −0
@@ -6156,6 +6156,19 @@ public final class ActivityManagerService extends ActivityManagerNative
            return -1;
        }
        // Bail early if system is trying to hand out permissions directly; it
        // must always grant permissions on behalf of someone explicit.
        final int callingAppId = UserHandle.getAppId(callingUid);
        if (callingAppId == Process.SYSTEM_UID) {
            if ("com.android.settings.files".equals(uri.getAuthority())) {
                // Exempted authority for cropping user photos in Settings app
            } else {
                Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission" +
                       " grant to " + uri.getAuthority() + "; use startActivityAsCaller() instead");
                return -1;
            }
        }
        final String authority = uri.getAuthority();
        final ProviderInfo pi = getProviderInfoLocked(authority, UserHandle.getUserId(callingUid));
        if (pi == null) {